How To Protect your WordPress Site from the Genericons Example.html XSS

Introduction

On May 6th, 2015, a critical WordPress bug was disclosed that potentially affects millions of users. The vulnerability, which actually stems from components that make use of the “Genericons” icon font package, can leave your site open to cross-site scripting (XSS) attacks.

In this article, we’ll explain the impact of the vulnerability, how to check if your site is vulnerable, and what actions you should take if you find that you are affected.

Explanation of the Vulnerability

The actual vulnerability is present in a font package called “Genericons” and not in the core WordPress installation. Unfortunately, this font package is used by “TwentyFifteen”, the theme installed and enabled in WordPress by default. The vulnerability also affected a popular WordPress customization and enhancement plugin called “JetPack”, which has over one million active installations, and possibly other plugins and themes as well.

The vulnerability exists in a single file called example.html which is included in the Genericons package. This is a non-essential file that was included to showcase the font. However, it includes a jQuery snippet that introduces a vulnerability potentially allowing DOM-based cross-site scripting exploits. Any theme or plugin that shipped the more recent versions of the “Genericons” package without removing this file was vulnerable.

A DOM-based cross-site scripting attack works by altering the DOM environment as interpreted by a user’s browser, causing the scripted actions to execute in a way contrary to their original design. In order to exploit the vulnerability, a user must be enticed to click a specially crafted link while logged into a WordPress installation. If an application has this type of vulnerability, the server cannot easily prevent unwanted behavior because the actions occur within the browser itself. Fortunately, removing the vulnerability is trivial in this case.

Does My Server Have this Vulnerability?

On May 7th, 2015, WordPress 4.2.2 was released, which patches this issue. If you installed or updated to the latest version of WordPress on or after this date, your installation should be secured. Any DigitalOcean Droplets that have been created from the WordPress one-click on or after this date should not be vulnerable.

If you are operating a WordPress instance that was installed prior to this date and have not updated to 4.2.2, your site may be vulnerable. If so, your admin panel will display a warning that looks like this:

You can also go to your server’s document root and look for the example.html files themselves. For instance, if you are in your server’s document root, you can type:

In the above example, an example.html file was found in the TwentyFifteen theme, indicating that this installation is vulnerable. The example.html files within the other themes shown here are not actually vulnerable as they do not include the offending jQuery lines. Look for example.html files within the twentyfifteen/genericons directory or within any plugins you might have.

How to Patch your Installation

The recommended way to patch your system is simply to upgrade WordPress. This will not only secure your system against this vulnerability, but also against any other issues that have been fixed since the version you are running.

If your permissions allow it, you can usually upgrade your installation using the admin panel update controls. You may see this option as a link on the main page (as shown in the previous screenshot). If not, you can go to the “Updates” option in the control panel and click on the “Update Now” button:

You will also likely have to update your themes and plugins separately.

Although we highly recommend that you update WordPress completely (along with any affected themes or plugins), you can also simply delete the offending files manually.

To do so, log into your WordPress server and navigate to your document root directory. You can remove the offending files by typing:

sudo find . -path "*/genericons/example.html" -exec rm -f {} \;

You can then check your directory structure again:

find . -path "*/genericons/example.html"

The command should now return no results: all of the example.html instances within a genericons directory have been removed.
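As an added example (not code from the original article), the following POSIX shell script combines the checks above into one audit: it reads the installed version from wp-includes/version.php (a standard WordPress file not mentioned in the article), lists every example.html that sits inside a genericons directory, and removes those files. It runs against a constructed sample directory tree rather than a live site, so the paths and the 4.2.1 version are assumptions of the example.

```shell
# Added example (not from the original article): audit a WordPress document root for
# the Genericons example.html file and for a WordPress version older than 4.2.2.
# Assumes the standard layout: wp-includes/version.php and wp-content/themes|plugins.

# Print every example.html that lives inside a genericons directory below $1.
find_genericons_examples() {
    find "$1" -path '*/genericons/example.html' -type f 2>/dev/null | LC_ALL=C sort
}
# Print the version recorded in wp-includes/version.php ($wp_version = '4.2.1';) or "unknown".
wp_version() {
    v=$(sed -n "s/^.wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php" 2>/dev/null || true)
    echo "${v:-unknown}"
}
# Succeed when version $1 sorts before 4.2.2, i.e. the install predates the fix.
version_before_422() {
    [ "$1" != 4.2.2 ] && [ "$(printf '%s\n4.2.2\n' "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}
# Report the version and each genericons/example.html; return 1 if anything needs attention.
audit_wordpress() {
    root=$1 status=0
    v=$(wp_version "$root")
    if [ "$v" = unknown ]; then echo "version: unknown (no wp-includes/version.php)"
    elif version_before_422 "$v"; then echo "version: $v (older than 4.2.2, update WordPress)"; status=1
    else echo "version: $v (4.2.2 or newer)"; fi
    list=$(find_genericons_examples "$root")
    if [ -n "$list" ]; then printf '%s\n' "$list" | sed 's/^/remove: /'; status=1; fi
    return $status
}
# The article's manual fix: delete every genericons/example.html below $1.
remove_genericons_examples() {
    find "$1" -path '*/genericons/example.html' -type f -exec rm -f {} \;
}

# Constructed sample tree (not a real site) mirroring the article's scan: an unpatched 4.2.1
# install, the twentyfifteen genericons file, and an unrelated example.html in another theme.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/themes/twentyfifteen/genericons" "$d/wp-content/themes/twentythirteen/fonts"
    printf "<?php\n\$wp_version = '4.2.1';\n" > "$d/wp-includes/version.php"
    : > "$d/wp-content/themes/twentyfifteen/genericons/example.html"
    : > "$d/wp-content/themes/twentythirteen/fonts/example.html"
    echo "$d"
}

root=$(make_fixture)
audit_wordpress "$root" || echo "=> action needed"
remove_genericons_examples "$root"   # example.html is gone; the version warning remains
audit_wordpress "$root" || echo "=> action needed"
```

Deleting the file closes the XSS, but the audit keeps flagging the old version until WordPress itself is updated, which is the article's recommended fix.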

Conclusion

While the number of users that were vulnerable to this bug was very high, the fix is very straightforward and can be accomplished through the normal WordPress update method. If you manage WordPress installations for your own purposes or for clients, the patch available in 4.2.2 will close this vulnerability easily. As always, one of the best methods to keep your WordPress installations secure is to ensure that you apply any security updates immediately.